-
Notifications
You must be signed in to change notification settings - Fork 23
132 lines (108 loc) · 4.31 KB
/
dast-scan.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# /********************************************************************************
# * Copyright (c) 2023 Contributors to the Eclipse Foundation
# *
# * See the NOTICE file(s) distributed with this work for additional
# * information regarding copyright ownership.
# *
# * This program and the accompanying materials are made available under the
# * terms of the Apache License, Version 2.0 which is available at
# * https://www.apache.org/licenses/LICENSE-2.0.
# *
# * Unless required by applicable law or agreed to in writing, software
# * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# * License for the specific language governing permissions and limitations
# * under the License.
# *
# * SPDX-License-Identifier: Apache-2.0
# ********************************************************************************/
name: DAST scan (OWASP ZAP)
on:
workflow_dispatch:
pull_request:
paths:
- 'src/main/**'
push:
paths:
- 'src/main/**'
jobs:
dast-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@v3
with:
version: v3.12.3
- name: Set up Taskfile
uses: arduino/setup-task@v1
- uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'
- name: Add bitnami repo
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
- name: Update Helm dependencies
run: |
cd charts/managed-identity-wallet
helm dependency build
- name: Build app
run: SKIP_GRADLE_TASKS_PARAM="-x jacocoTestCoverageVerification -x test" GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} task app:build
- name: Kubernetes KinD Cluster
uses: container-tools/kind-action@v2
with:
node_image: 'kindest/node:v1.27.3'
version: v0.20.0
- name: Build image
uses: docker/build-push-action@v4
with:
context: .
push: true
tags: kind-registry:5000/miw:testing
- name: Install the chart on KinD cluster
run: helm install -n apps --create-namespace --wait --set image.tag=testing --set=image.repository=kind-registry:5000/miw testing charts/managed-identity-wallet
- name: Configure port forward to app in KinD
run: |
echo "Getting Agent IP..."
IP_ADDR=$(hostname -i)
echo "-> IP: $IP_ADDR"
echo "IP_ADDR=$IP_ADDR" >> $GITHUB_ENV
POD_NAME=$(kubectl get pods --namespace apps -l "app.kubernetes.io/name=managed-identity-wallet,app.kubernetes.io/instance=testing" -o jsonpath="{.items[0].metadata.name}")
CONTAINER_PORT=$(kubectl get pod --namespace apps $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Port-forwarding 0.0.0.0:8080 to $POD_NAME:$CONTAINER_PORT..."
kubectl --namespace apps port-forward $POD_NAME 8080:$CONTAINER_PORT --address 0.0.0.0 &
# Sleep for 4 seconds to ensure, that the port-forward is established
- name: Sleep for 4s
uses: juliangruber/sleep-action@v1
with:
time: 4s
- name: Generating report skeletons
if: success() || failure()
run: |
touch report_md.md report_html.html
chmod a+w report_md.md report_html.html
ls -lrt
- name: Run ZAP scan
run: |
set +e
echo "Pulling ZAP image..."
docker pull ghcr.io/zaproxy/zaproxy:stable -q
echo "Starting ZAP Docker container..."
docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t http://$IP_ADDR:8080/docs/api-docs/docs -f openapi -w report_md.md -r report_html.html -T 1
echo "... done."
- name: Add Summary
if: success() || failure()
run: |
echo "Publishing Job summary... "
cat report_md.md >> $GITHUB_STEP_SUMMARY
- name: Upload HTML report
if: success() || failure()
uses: actions/upload-artifact@v3
with:
name: ZAP scan report
path: ./report_html.html